APT stalks the top firms, but most are in denial

The reality of advanced persistent threats (APTs) is a menace to more firms than are aware of it. Chances are good your firm may be a victim and not even know it, maybe for a long time. The fact that most companies surveyed by ResearchNow on behalf of CounterTack only admit to a “slight” vulnerability is a sure sign that many companies are in denial. The 14% that admit that they are vulnerable show a clear understanding that APTs are a clear and present danger.

I believe that foreword author Richard Stiennon is spot on with his assessment that if the respondents truly understood the sophistication of APT the figure would be closer to 100%.

The survey, conducted among CIOs, CISOs and senior security personnel in companies with $100 million or more in revenue, was troubling in that so few of those who should know recognize that the threat is real and, well, persistent. The fact that 32% of the people surveyed say their staffs spend 50 hours a week or more analyzing malware speaks to the failure of antimalware, I think, more than to a belief in APT.

Not all of it. But the fact that only a fraction of those respondents believe their companies are vulnerable indicates otherwise. Those people “get it,” but they are too few. Far too few. Mostly the malware investigation points to customized malware, the failure to get signatures in reasonable time, and the ability of malware to change shape and form on a dime.

The most damning evidence is the lack of ability to counter the more serious blows. More than a third do not think they would be able to identify an exploited communications session, and more than a fifth could not tell if an attacker had modified a file or process. But the truly alarming evidence is that 44% have neither the time nor the resources to adequately train personnel to counter APTs. This is not surprising, and the real figure is probably much higher.

An advanced course in fighting APT is now available at SANS, but the instructor says that many of the participants are from third-party consultancies looking to expand their effective market. Or it’s the old “get the training, then out the door” mentality. As soon as a trainee becomes proficient in countering APTs, he’s off for greener pastures.

More than a third say they couldn’t spot an attacker who got beyond their defenses. Based on the other responses, I’d say most companies would be lucky to do so. It’s well established that a majority of companies don’t find out about major attacks for months, even years, and then only from third parties.

Some of the conclusions are somewhat flawed and self-serving. The laundry list of security tools on which companies spend the lion’s share of their money is hard to challenge, despite its lack of creative thinking. Where would you cut?

Similarly, where would you focus your energies? The largest number would spend more money on new technologies to keep intruders out. The rest are pretty equally spread across staff training and education (about what?), revamping internal processes, strategies and approaches (meaning exactly what?), pushing new cyber intelligence technologies, and forensic investigation.

This survey concludes that people are not waking up to APT fast enough, and that the attackers have already stolen a march on them. It’s a major problem. About half the companies have been victims of a targeted attack in the past year. I think it’s closer to 100%, and the rest just don’t know it.